The present invention relates to a network technology, particularly to an access authentication method suitable for wired and wireless networks.
To date, a variety of networks are available that provide resources to users in various ways. In terms of physical media, the modes of network access include ADSL, HomePNA, Cable Modem, VDSL and Ethernet. Of these, Ethernet, being inexpensive and offering greater bandwidth, has gradually become the main mode of broadband network access, while ADSL, which makes use of existing telephone lines, has become the main mode of network access for users living in residential areas and working in small/home offices. Wireless network access takes such forms as IEEE 802.11 for wireless LAN, IEEE 802.16 for broadband wireless access, IEEE 802.20 for mobile broadband wireless access, the GSM global mobile communication system, and 3G mobile communication.
Any network access, wired or wireless, requires a method of authentication between users and the network. Each access mode provides its own authentication method; these methods have something in common but also differ from one another.
There are mainly three methods of user authentication in the available broadband wired access: PPPoE, Web/Portal and 802.1x. All three are one-way authentication, that is, they authenticate only the user, and the user unconditionally trusts the network. The user's trust in the network is ensured by the physical line connection. However, in the PPPoE and 802.1x authentication methods, the Extensible Authentication Protocol (EAP) has begun to be used to support two-way authentication.
At present, link encryption is not used in wired access networks. Of the three methods, Web/Portal authentication cannot produce a session key and supports neither the binding of the user to a session key nor link encryption. By contrast, the PPPoE and 802.1x authentication methods both support link encryption, but it is usually not used.
Security is a far more serious matter in a wireless network than in a wired one, and all wireless technologies use authentication and link encryption to achieve security.
IEEE 802.11 initially used an authentication and encryption method based on a statically shared key plus Wired Equivalent Privacy (WEP), and IEEE 802.16 used a one-way authentication method based on public-key authentication. Neither method meets present needs. IEEE 802.11 has now adopted new security methods: WiFi Protected Access (WPA)/IEEE 802.11i and WLAN Authentication and Privacy Infrastructure (WAPI). In addition, IEEE 802.16 has set up a new working group, IEEE 802.16e, to improve the earlier IEEE 802.16 technology, its security method included.
WPA/802.11i uses the 802.1x+EAP security technology; the WAPI security system uses public-key technology, and the authentication server in WAPI is used for authentication and for management of certificates. Both the mobile terminal and the wireless access point hold public-key certificates issued by the identification server as proof of their own digital identity. When a mobile terminal logs onto a wireless access point, the two must check each other's identity with the authentication server.
As for IEEE 802.16e, its draft is still under discussion. Its authentication method, an improvement on that of IEEE 802.16, supports two-way authentication, but the specific method to be used is still under discussion.
GSM is a second-generation mobile communication technology that adopts a symmetric-key-based one-way authentication technology. 3G is a third-generation mobile communication technology whose authentication technology improves on that of GSM and supports two-way authentication.
As the foregoing analysis shows, authentication is necessary for both wired and wireless networks. The ongoing trend is that a user accesses network resources through different access modes but wishes to use a single identity for authentication. Using one identity for authentication requires convergence of the authentication methods, which places new demands on the methods now in existence. For that reason, it is necessary to integrate the authentication methods now in use and establish an authentication method suitable for both wired and wireless networks.
However, none of the above-mentioned authentication methods meets the demand for authentication with one identity. The symmetric-key-based authentication methods represented by GSM/3G are so complicated in their key management that it is very difficult to let a user access several networks with just one identity. The IEEE 802.16 authentication method relies on a Public Key Infrastructure (PKI) system. A difficulty arises in applying PKI technology to an access system: PKI implies distributed access, in which a user may access any number of unspecified resources, whereas in an access system the user terminal is not allowed to access resources, or is allowed to access only limited, specified resources, before authentication succeeds. This is why the IEEE 802.16 authentication method can achieve only one-way authentication.
The 802.1x+EAP authentication methods represented by IEEE 802.11i support both symmetric-key and public-key authentication. In this method the authentication server carries out key negotiation directly with the user terminal, then sends the key derived from that negotiation to the access point, and the user terminal and the access point then carry out authentication and session-key negotiation with each other based on this dynamically shared key. This authentication technology is now widely applied and relatively mature, but it still has problems of its own:
1. The structure of IEEE 802.1x is not symmetrical. The user terminal and the access point differ considerably in function: the user terminal has no terminal-control function and the access point has no authentication function, so authentication is performed between the user terminal and the authentication server. The authentication server may be implemented in the same system as the access point, but this greatly reduces the advantage of IEEE 802.1x in centralized control of access points.
2. Extensibility is poor. Between each access point and the authentication server there is a pre-defined security tunnel. The more security tunnels there are, the more resources of the authentication server system are consumed and the more complicated management becomes; hence it is not advisable to set up a large number of security tunnels, which in turn limits network extensibility.
3. The key negotiation process is complicated. A key is used to protect data between the user terminal and the access point, but negotiation is first required between the user terminal and the authentication server and then between the user terminal and the access point.
4. A new attack point is introduced, lowering security. The master key derived from negotiation between the user terminal and the authentication server is transmitted to the access point by the authentication server. With the key passing over the network, a new point of attack is introduced.
5. The authentication terminal has no independent identity. To a user terminal, the identities of the authentication terminals managed by the same authentication server are indistinguishable. Extra functional entities have to be added in application environments where one identity must be distinguished from another, which makes things more complicated.
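The three-party key flow described above (terminal and authentication server negotiate a master key, the server pushes it to the access point through a per-AP tunnel, terminal and access point then derive a session key), modelled as an added illustration that is not part of the patent text. The HMAC-based derivation, the XOR-keystream tunnel protection and all credentials are constructed assumptions chosen to make points 2 and 4 visible: one tunnel key per access point, and a master key that is readable by anyone holding that tunnel key while it crosses the network.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, *ctx: bytes) -> bytes:
    # HMAC-SHA256 stands in for the EAP method's key hierarchy (assumption, not any standard PRF).
    return hmac.new(key, label + b"".join(ctx), hashlib.sha256).digest()


def xor_wrap(tunnel_key: bytes, blob: bytes, ctx: bytes) -> bytes:
    # Toy AS-AP tunnel protection: XOR with a keystream derived from the per-AP tunnel key.
    # Symmetric, so the same call both wraps and unwraps.
    return bytes(a ^ b for a, b in zip(blob, kdf(tunnel_key, b"tunnel", ctx)))


# Constructed credentials: one long-term secret per user identity and one pre-defined
# security tunnel key per access point (problem 2: tunnels grow with the number of APs).
USER_SECRETS = {b"alice": b"alice-long-term-credential"}
AP_TUNNEL_KEYS = {b"ap-1": b"as-to-ap1-tunnel-key", b"ap-2": b"as-to-ap2-tunnel-key"}


def run_exchange(user_id: bytes, ap_id: bytes, sta_nonce=None, as_nonce=None, ap_nonce=None) -> dict:
    sta_nonce = sta_nonce or os.urandom(16)
    as_nonce = as_nonce or os.urandom(16)
    ap_nonce = ap_nonce or os.urandom(16)
    # Step 1: EAP run between the user terminal and the authentication server; the AP only relays.
    mk_as = kdf(USER_SECRETS[user_id], b"master", sta_nonce, as_nonce)   # computed at the server
    mk_sta = kdf(USER_SECRETS[user_id], b"master", sta_nonce, as_nonce)  # computed at the terminal
    # Step 2: the server pushes the master key to the AP through the AS-AP security tunnel.
    on_the_wire = xor_wrap(AP_TUNNEL_KEYS[ap_id], mk_as, user_id)        # what crosses the network
    mk_ap = xor_wrap(AP_TUNNEL_KEYS[ap_id], on_the_wire, user_id)        # the AP unwraps it
    # Step 3: terminal and AP derive the session key from the now dynamically shared master key.
    sk_sta = kdf(mk_sta, b"session", sta_nonce, ap_nonce)
    sk_ap = kdf(mk_ap, b"session", sta_nonce, ap_nonce)
    return {"master_key": mk_as, "on_the_wire": on_the_wire,
            "sta_session": sk_sta, "ap_session": sk_ap}


def unwrap_with(tunnel_key: bytes, on_the_wire: bytes, user_id: bytes) -> bytes:
    # Problem 4: the master key is protected on the wire only by the AS-AP tunnel key, so any
    # party holding that key (a compromised AP, or a compromised tunnel endpoint) recovers it.
    return xor_wrap(tunnel_key, on_the_wire, user_id)


if __name__ == "__main__":
    result = run_exchange(b"alice", b"ap-1")
    print("session keys match:", result["sta_session"] == result["ap_session"])
    print("tunnel keys to manage:", len(AP_TUNNEL_KEYS))
```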
As the above analysis shows, the existing access authentication methods cannot meet these needs.